Crooks exploit a zero-day in WordPress eCommerce Plugin to upload a backdoor

Experts from the White Fir Design discovered cybe rcriminals exploited a zero-day flaw in an e-commerce plugin for WordPress to upload a backdoor.

According to the experts from the firm White Fir Design, crooks exploited a zero-day flaw in an e-commerce plugin for WordPress to upload backdoors to affected websites.

The plugin is WP Marketplace, a plugin for the popular WordPress CMS that implements e-commerce features. The plugin is not so popular, it is installed on less than 500 websites worldwide and the bad news it that it is no longer maintained, so the security holes will never be patched. The WP Marketplace was not updated in the last 8 months and last week it was removed from the official WordPress Plugin Directory.

The experts noticed requests for a certain file associated with the flawed WP Marketplace, they discovered that was a scan for websites running the plugin in the attempt to exploit the flaw.

The issue is an arbitrary file upload vulnerability as explained by the experts.

“Within the last day we had a request for the file /wp-content/plugins/wpmarketplace/css/extends_page.css, which is part of the plugin WP Marketplace. Requesting a file from a plugin that isn’t installed on a website is usually indication that a hacker is probing for usage of it before exploiting something. We have also seen some requests for the file in the third-party data we monitor as well.” read the analysis published by White Fir Design. “Seeing as arbitrary file upload vulnerabilities are so likely to be exploited, one of the first things we look for when trying to determine what hackers might be exploiting in a plugin is that type of issue. In this case, we quickly found one. In the file /modules/additional-preview-images.php the function wpmp_upload_previews() is made accessible when loading admin pages (as the function is_admin() tells you that, not if the user is Administrator)”

The researchers from the security firm Sucuri also observed attack attempts in the wild, they confirmed that cyber criminals have been exploiting arbitrary file upload vulnerability to upload a backdoor on the affected websites.

“We checked our Website Firewall logs and confirmed that the WP Marketplace vulnerability is now a part of a hacker’s toolkit. When they detect sites with the installed plugin, they try to exploit the vulnerability and upload backdoors.” states a blog post published by Sucuri.

“Of course, it is not as valuable for hackers as vulnerabilities in popular plugins installed on every other site, but if your toolkit comprises hundreds of smaller vulnerabilities, the success rate will be comparable,” said Sucuri’s Denis Sinegubko. “That’s why plugin developers shouldn’t neglect best security practices even when developing small plugins.”